Fedora 24:
mod_ssl generates a self-signed certificate. If you attempt to reuse this cert file and have certmonger manage it:

    sudo ipa-getcert request -w \
        -f /etc/pki/tls/certs/localhost.crt \
        -k /etc/pki/tls/private/localhost.key \
        -N overcloud-controller-0.ayoung-dell-t1700.test,O=ayoung-dell-t1700.test \
        -K HTTP/overcloud-controller-0.ayoung-dell-t1700.test

The resulting cert is still the self-signed one, but it is listed as managed by the IPA CA.
When certmonger starts tracking a cert for the first time, it should probably do a sanity check of the issues. With a CA like IPA, it should treat it as a resubmit with a new CSR and the existing key.
To me, the big issue here is that apparently if a certificate is present in the -f file, 'getcert request' will just adopt it rather than requesting a new one. In the help message for getcert it says:
    request          request a new certificate from a CA
    start-tracking   begin monitoring an already-issued certificate
    ...
Based on this, I would expect 'request' to always submit a request to the CA even if a certificate (self-signed or otherwise) is present locally. If you want to track but not resubmit an existing cert, the correct command is 'start-tracking'. However, this is not what happens:
    [root@vm ~]# md5sum /etc/pki/tls/certs/localhost.crt
    c22ded4b3ad0561637b9a04de6503f9b  /etc/pki/tls/certs/localhost.crt
    [root@vm ~]# ipa-getcert request -w -f /etc/pki/tls/certs/localhost.crt -k /etc/pki/tls/private/localhost.key
    New signing request "20160630181846" added.
    [root@vm ~]# ipa-getcert list
    Number of certificates and requests being tracked: 1.
    Request ID '20160630181846':
    	status: MONITORING
    	stuck: no
    	key pair storage: type=FILE,location='/etc/pki/tls/private/localhost.key'
    	certificate: type=FILE,location='/etc/pki/tls/certs/localhost.crt'
    	CA: IPA
    	issuer: E=root@vm.example.com,CN=vm.example.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
    	subject: E=root@vm.example.com,CN=vm.example.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
    	expires: 2017-06-30 18:15:46 UTC
    	key usage: digitalSignature,nonRepudiation,keyEncipherment
    	pre-save command:
    	post-save command:
    	track: yes
    	auto-renew: yes
    [root@vm ~]# md5sum /etc/pki/tls/certs/localhost.crt
    c22ded4b3ad0561637b9a04de6503f9b  /etc/pki/tls/certs/localhost.crt
    [root@vm ~]# ipa-getcert resubmit -i 20160630181846
    Resubmitting "20160630181846" to "IPA".
    [root@vm ~]# ipa-getcert list
    Number of certificates and requests being tracked: 1.
    Request ID '20160630181846':
    	status: MONITORING
    	stuck: no
    	key pair storage: type=FILE,location='/etc/pki/tls/private/localhost.key'
    	certificate: type=FILE,location='/etc/pki/tls/certs/localhost.crt'
    	CA: IPA
    	issuer: CN=Certificate Authority,O=DOMAIN.EXAMPLE.COM
    	subject: CN=vm.example.com,O=DOMAIN.EXAMPLE.COM
    	expires: 2018-07-01 18:19:41 UTC
    	dns: vm.example.com
    	principal name: host/vm.example.com@DOMAIN.EXAMPLE.COM
    	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    	eku: id-kp-serverAuth,id-kp-clientAuth
    	pre-save command:
    	post-save command:
    	track: yes
    	auto-renew: yes
    [root@vm ~]# md5sum /etc/pki/tls/certs/localhost.crt
    e637e23503ccb2e11f0dee714ab7e32f  /etc/pki/tls/certs/localhost.crt
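As an added example (not part of this ticket and not certmonger's own code), the sanity check proposed above done from the outside: a POSIX shell filter over `getcert list` output that reports every tracked request whose issuer DN equals its subject DN, which is how the adopted self-signed mod_ssl cert shows up. The sample list is constructed from the two states shown in this ticket; the second Request ID is a placeholder.

```shell
#!/bin/sh
# Added example, not certmonger's own code: after `getcert request`, make sure
# no tracked certificate is still self-signed (issuer DN == subject DN).

# find_self_signed: reads `getcert list` output on stdin and prints the
# Request ID of every entry whose issuer and subject DNs are identical.
find_self_signed() {
    q="'"
    id="" issuer="" subject=""
    while IFS= read -r line; do
        case "$line" in
            "Request ID "*)
                # Request ID '20160630181846':  ->  20160630181846
                id="${line#Request ID $q}"; id="${id%$q:}"
                issuer=""; subject="" ;;
            *"issuer: "*)  issuer="${line#*issuer: }" ;;
            *"subject: "*)
                subject="${line#*subject: }"
                if [ -n "$issuer" ] && [ "$issuer" = "$subject" ]; then
                    echo "$id"
                fi ;;
        esac
    done
}

# sample_list: constructed `getcert list` output. The first entry is the
# adopted self-signed cert from the ticket; the second is the IPA-issued
# state after resubmit, under a placeholder Request ID (not a real one).
sample_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20160630181846':
        status: MONITORING
        CA: IPA
        issuer: E=root@vm.example.com,CN=vm.example.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
        subject: E=root@vm.example.com,CN=vm.example.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
        track: yes
Request ID 'PLACEHOLDER-ID-2':
        status: MONITORING
        CA: IPA
        issuer: CN=Certificate Authority,O=DOMAIN.EXAMPLE.COM
        subject: CN=vm.example.com,O=DOMAIN.EXAMPLE.COM
        track: yes
EOF
}

# On a real host:  getcert list | find_self_signed
sample_list | find_self_signed
```

Any Request ID printed is a candidate for `getcert resubmit -i <id>` so the CA actually issues a certificate for the existing key.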
Metadata Update from @benlipton:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE